Cybersecurity researchers have recently uncovered a sophisticated attack technique that exploits misconfigured Microsoft Azure Arc deployments, enabling adversaries to escalate privileges from cloud environments to on-premises systems and maintain persistent access within enterprise infrastructures. (ibm.com)
Azure Arc is Microsoft's hybrid cloud management platform designed to extend Azure's native management capabilities to on-premises systems, Kubernetes clusters, and other non-Azure resources. While it aims to streamline hybrid infrastructure management, certain deployment mechanisms and configuration processes have inadvertently introduced new attack vectors.

Exploitation of Service Principal Credentials

The core of this attack technique revolves around the exploitation of Service Principal credentials, which are often hardcoded in deployment scripts or stored in accessible network shares. These credentials, intended for automated Arc client registration, can be retrieved by attackers who gain access to deployment infrastructure or policy configurations. Once obtained, these credentials can be leveraged to execute arbitrary code on Arc-managed systems through various Azure management interfaces.
IBM analysts identified multiple deployment vectors that introduce security vulnerabilities, including:
  • PowerShell Scripts with Embedded Secrets: Deployment scripts containing hardcoded Service Principal secrets.
  • Misconfigured System Center Configuration Manager (SCCM) Deployments: SCCM deployments that store sensitive information insecurely.
  • Group Policy Objects (GPOs) Storing Encrypted Credentials Using DPAPI-NG: GPOs that store encrypted Service Principal secrets accessible to any member of the domain computers group.
These deployment methods, even when following Microsoft's official guidance, often result in credential exposure due to overly permissive access controls and inadequate secret management practices. (ibm.com)

DPAPI-NG Exploitation and Credential Recovery

A significant finding involves the exploitation of DPAPI-NG encrypted secrets stored in Azure Arc deployment shares. When Arc is deployed via Group Policy, administrators create network shares containing deployment files, including an "encryptedServicePrincipalSecret" file protected by DPAPI-NG encryption. However, this encryption is configured to allow any member of the domain computers group to decrypt the secret, effectively making it accessible to any compromised system in the domain.
The decryption process involves accessing the deployment share and using PowerShell commands to retrieve the encrypted blob. Attackers can execute the following technique from any domain-joined system with NT AUTHORITY\SYSTEM privileges:
Code:
# $SourceFilesFullPath is the UNC path of the deployment share created for the GPO rollout
$encryptedSecret = Get-Content (Join-Path $SourceFilesFullPath "encryptedServicePrincipalSecret")
# DPAPI-NG blob configured to allow any member of the domain computers group to decrypt
This credential recovery method provides attackers with Service Principal access that can be immediately weaponized for code execution on Arc-managed systems. The research demonstrates that these recovered credentials often possess elevated privileges beyond their intended scope, including the "Azure Connected Machine Resource Administrator" role, which grants comprehensive management capabilities over Arc deployments. (ibm.com)

Implications and Mitigation Strategies

The discovery of this attack technique underscores the critical importance of secure deployment practices and robust credential management in hybrid cloud environments. Organizations utilizing Azure Arc should take the following steps to mitigate potential risks:
  • Restrict Access to Deployment Scripts and Shares: Ensure that deployment scripts and network shares containing sensitive information are accessible only to authorized personnel and systems.
  • Implement Least Privilege Access Controls: Assign roles and permissions based on the principle of least privilege, ensuring that Service Principals and other accounts have only the necessary permissions required for their function.
  • Regularly Rotate and Secure Credentials: Implement a robust credential management strategy that includes regular rotation of Service Principal secrets and the use of secure storage mechanisms.
  • Monitor and Audit Azure Arc Deployments: Continuously monitor Azure Arc deployments for signs of misconfiguration or unauthorized access, and conduct regular audits to ensure compliance with security best practices.
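As an added example (not code from the article or from IBM's research), the PowerShell audit below checks a deployment share for the three exposure patterns described above: the DPAPI-NG secret file, scripts carrying a literal Service Principal secret, and NTFS entries that grant access to broad groups. The share path is a placeholder, and the secret pattern and group names are assumptions to adjust to your environment.

```powershell
# Added audit example; run as an administrator that can read the share's ACLs.
param(
    [string]$SharePath = '\\FILESERVER\ArcDeploy'   # placeholder, replace with your share
)

# Principals whose "Allow" entries on a deployment share mean every domain
# machine or user can read the secret. Assumed names; localise as needed.
$BroadPrincipals = @('Domain Computers', 'Domain Users', 'Authenticated Users', 'Everyone')

# Assumed patterns: the onboarding script's $ServicePrincipalSecret variable,
# the azcmagent --service-principal-secret flag, or a clientSecret JSON key,
# followed by a quoted literal of 8+ characters.
$secretPattern = '(?i)(ServicePrincipalSecret|service-principal-secret|clientSecret)\s*[=:]?\s*["''][^"'']{8,}["'']'

$findings = @()

# 1. The GPO deployment pattern leaves an encryptedServicePrincipalSecret file on the share.
Get-ChildItem -Path $SharePath -Recurse -File -Filter 'encryptedServicePrincipalSecret' |
    ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'DPAPI-NG secret blob'; Path = $_.FullName
                                        Detail = 'Treat as a credential; confirm who can decrypt it' }
    }

# 2. Scripts or config files that embed the Service Principal secret as a literal.
Get-ChildItem -Path $SharePath -Recurse -File -Include '*.ps1', '*.cmd', '*.bat', '*.json' |
    Select-String -Pattern $secretPattern |
    ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'Embedded secret'; Path = $_.Path
                                        Detail = "line $($_.LineNumber)" }
    }

# 3. NTFS permissions that hand the share's contents to broad groups.
Get-ChildItem -Path $SharePath -Recurse -File |
    ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        foreach ($ace in $acl.Access) {
            $name = ($ace.IdentityReference.Value -split '\\')[-1]   # strip DOMAIN\ prefix
            if ($ace.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $name) {
                $findings += [pscustomobject]@{ Type = 'Permissive ACL'; Path = $_.FullName
                                                Detail = "$($ace.IdentityReference): $($ace.FileSystemRights)" }
            }
        }
    }

$findings | Format-Table -AutoSize
```

Any row of output is a candidate for remediation: move the secret out of the share, rotate it, and cut the ACL down to the accounts that actually perform onboarding.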
By proactively addressing these areas, organizations can enhance the security of their hybrid cloud environments and reduce the risk of exploitation through misconfigured Azure Arc deployments.
In conclusion, while Azure Arc offers powerful capabilities for managing hybrid infrastructures, it is imperative for organizations to implement stringent security measures during deployment and operation to prevent potential exploitation by adversaries.

Source: CyberSecurityNews, "Researchers Uncover New Technique to Exploit Azure Arc for Hybrid Escalation in Enterprise Environment and Maintain Persistence"